Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with “Covert Redirections”. Spoiler alert: there’s no catastrophe.
For those who haven’t heard, this started with a paper and a series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are vulnerable to a specific type of Open Redirection. He named this attack “Covert Redirection”.
Covert Redirection attacks are actually only one variant of a much larger group of attacks that can be described as Third-Party Auth Token Thefts. There are two important concepts to understand: third-party authentication or authorization and URL-based data routing.
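The redirect-validation weakness behind Covert Redirection, as an added example that is not part of the original post: an OAuth-style provider that checks only the scheme and host of `redirect_uri` (rather than the exact registered URI) will happily send the token to any path on the client's domain, and an open redirector on that domain then forwards the browser, fragment included, to a site the attacker controls. All hosts, paths and the token value below are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Constructed example values (not from the original post).
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"
MALICIOUS_REDIRECT_URI = "https://client.example/go?url=https://attacker.example/collect"


def domain_only_check(redirect_uri):
    """Vulnerable check: accepts any path under the registered scheme and host."""
    req = urlsplit(redirect_uri)
    reg = urlsplit(REGISTERED_REDIRECT_URI)
    return (req.scheme, req.netloc) == (reg.scheme, reg.netloc)


def exact_match_check(redirect_uri):
    """Hardened check: only the pre-registered URI, character for character."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def provider_authorize(redirect_uri, check, token="tok_example"):
    """Implicit-grant authorization endpoint: if `check` accepts redirect_uri,
    return the Location the browser is sent to, with the access token in the
    URL fragment; otherwise refuse (None)."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


def client_handles(url):
    """Model of the client site. /oauth/callback consumes the token itself;
    /go?url=... is an open redirector that forwards the browser to `url`.
    Browsers keep the fragment when they follow a 3xx whose Location has no
    fragment of its own, so the token travels with the redirect."""
    parts = urlsplit(url)
    if parts.path == "/oauth/callback":
        return url  # token stays with the legitimate client
    if parts.path == "/go":
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            t = urlsplit(target)
            return urlunsplit((t.scheme, t.netloc, t.path, t.query, parts.fragment))
    return url


def token_receiver(redirect_uri, check):
    """Host that ends up holding the token, or None if the provider refused."""
    location = provider_authorize(redirect_uri, check)
    if location is None:
        return None
    return urlsplit(client_handles(location)).netloc


if __name__ == "__main__":
    print("domain-only check :", token_receiver(MALICIOUS_REDIRECT_URI, domain_only_check))
    print("exact-match check :", token_receiver(MALICIOUS_REDIRECT_URI, exact_match_check))
    print("legitimate flow   :", token_receiver(REGISTERED_REDIRECT_URI, exact_match_check))
```

With the domain-only check the token lands on attacker.example; with exact matching the provider refuses the crafted `redirect_uri` outright, which is why the fix belongs at the provider (exact, pre-registered redirect URIs) and at the client (no open redirectors on the registered domain), not in the browser.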
I got to spend a little time playing the DEFCON 22 quals this past weekend, presented by the Legitimate Business Syndicate (LegitBS), several members of which are players in previous DEFCON CTF games. I didn't manage to make it very far, but such is life! I completed three of the four "Baby's First" challenges and would like to share my solutions with you.
Recently, I've been trying to improve my skills with regards to exploiting memory corruption flaws. While I've done some work in the past with exploiting basic buffer overflows, format string issues, etc., I'd only done the most basic work in bypassing non-executable stack and ASLR.
I decided that I wanted to learn how to exploit a basic stack-based overflow when both NX and ASLR are in use. Below I explain my process and what I learned.
The 17th of April fell this week, which means it is Oracle Critical Patch Update (CPU) time. The April 2014 CPU contains 104 fixes across Oracle’s Database, Fusion Middleware, E-Business Suite, PeopleSoft, Siebel, iLearning, Oracle and Sun Systems Product Suite, MySQL, Oracle Linux and Virtualization and Oracle Java.
Read on for more information about what's included in this month's update.
Apart from our typical application penetration testing engagements, clients sometimes come to us looking to test the resiliency of various security mechanisms they want to apply to their applications. This was the case a few weeks ago when one of our larger clients approached us and asked us to test a copy-protection (DRM) solution for one of their Android applications.
Attacking copy protection is usually a combination of static and dynamic analysis. This includes reading the reverse-engineered source code to figure out how the copy protection works and to find any encryption keys, as well as watching the application transform into its unencrypted version at runtime.
Our first step was to reverse engineer the target .apk file using dex2jar and JD-GUI to see the obfuscation.
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability.
OWASP is again participating in the Google Summer of Code (GSoC) Program for 2014 by acting as a Mentoring Organization. This is an outstanding opportunity for college students to get a chance to contribute to open source projects, gain experience and make some money over the summer. Here is a quick graphic that shows how GSoC works:
There are many OWASP Project Ideas for students to choose from.
In a previous blog post, I provided "Method of Entry" analysis for a ColdFusion compromise based on sanitized data from a SpiderLabs IR/Forensics team investigation, which resulted in the attacker installing a malicious IIS module that captured customer credit card data. In this blog post, we will analyze another ColdFusion compromise that again resulted in customer credit card data being stolen; however, the initial vulnerability and exfiltration methods differed.
Thanks to my SpiderLabs colleagues Jon Spruill, Grayson Lenik and Ryan Jones (IR/Forensics), Ryan Linn (Pentest) and Chris Woodbury (Research - Vulnerability Analysis Team), for assistance with this blog post.
There were news stories this week outlining how attackers are abusing the XML-RPC "pingback" feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post will provide some analysis on this attack and additional information for websites to protect themselves.
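The abuse pattern described above, as an added example that is not part of the original post: a `pingback.ping` XML-RPC call carries a `sourceURI` and a `targetURI`, and the blog verifies the pingback by fetching `sourceURI`, so an attacker who posts the same victim as `sourceURI` to many blogs turns each of them into a request generator against that victim. The detector below parses constructed XML-RPC request bodies, keeps only `pingback.ping` calls, and flags any source host named more often than a threshold. The hosts, paths and threshold are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit


def pingback_body(source_uri, target_uri):
    """Build a pingback.ping request body (constructed sample input)."""
    return (
        '<?xml version="1.0"?>'
        "<methodCall><methodName>pingback.ping</methodName><params>"
        f"<param><value><string>{source_uri}</string></value></param>"
        f"<param><value><string>{target_uri}</string></value></param>"
        "</params></methodCall>"
    )


def parse_pingback(body):
    """Return (source_uri, target_uri) for a pingback.ping call, None for any
    other method. Raises ET.ParseError on malformed XML. For untrusted input
    in production, parse with defusedxml instead of the stdlib parser."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    values = [v.text or "" for v in root.findall("./params/param/value/string")]
    if len(values) != 2:
        return None
    return values[0], values[1]


def flag_pingback_flood(bodies, threshold=3):
    """Count pingback.ping calls per sourceURI host across a batch of request
    bodies and return {host: count} for hosts at or above the threshold."""
    per_source = Counter()
    for body in bodies:
        try:
            parsed = parse_pingback(body)
        except ET.ParseError:
            continue  # malformed request; not a pingback we can attribute
        if parsed is None:
            continue
        source_uri, _target_uri = parsed
        per_source[urlsplit(source_uri).netloc] += 1
    return {host: n for host, n in per_source.items() if n >= threshold}


# Constructed sample batch: three pingbacks naming the same victim as the
# source, one legitimate pingback, one unrelated XML-RPC call, one broken body.
SAMPLE_BODIES = [
    pingback_body("http://victim.example/", "http://blog.example/2014/03/post-a/"),
    pingback_body("http://victim.example/?p=1", "http://blog.example/2014/03/post-b/"),
    pingback_body("http://victim.example/?p=2", "http://blog.example/2014/03/post-c/"),
    pingback_body("http://friend.example/linked-to-you/", "http://blog.example/2014/03/post-a/"),
    "<methodCall><methodName>wp.getUsersBlogs</methodName><params/></methodCall>",
    "<methodCall><methodName>pingback.ping",  # truncated, unparseable
]


if __name__ == "__main__":
    print(flag_pingback_flood(SAMPLE_BODIES))
```

The simplest protection on the blog side is to stop serving the method at all: WordPress exposes the `xmlrpc_methods` filter, and removing `pingback.ping` from the array it passes makes the endpoint answer such calls with an unknown-method fault instead of fetching the source.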